The problems affected Nginx versions between 0.6.18 and 1.9.9 where the resolver directive was used in the configuration file, according to the advisory posted on the Nginx mailing list. The security flaws included an invalid pointer dereference, a use-after-free condition, and issues with CNAME resolution. Users should upgrade to the latest Nginx versions, 1.9.10 and 1.8.1.

Issues in Nginx resolver

An invalid pointer dereference may occur during DNS server response processing (CVE-2016-0742). An attacker who is able to forge UDP packets from the DNS server could use it to cause a segmentation fault in a worker process, according to the advisory.

For the second vulnerability, the attacker could trigger arbitrary name resolution to cause a segmentation fault in a worker process by exploiting the use-after-free condition during CNAME processing (CVE-2016-0746).

The final security flaw was that CNAME resolution was insufficiently limited, which could let attackers trigger arbitrary name resolution to cause resource consumption in worker processes (CVE-2016-0747).

All three vulnerabilities were present only if the resolver directive was used on the targeted system. The severity of the flaws is unknown, but they don't appear to be under active attack at this time.
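A triage check built from the two conditions above, as an added example that is not from the advisory or the Nginx project: it flags a host only when the version falls in the affected range and an active resolver directive is present. The sample configuration and function names are constructed for illustration, and treating every 1.8.x release from 1.8.1 onward as fixed is an assumption.

```python
import re

# Bounds from the article: affected 0.6.18 through 1.9.9; fixed in 1.9.10 and 1.8.1.
FIRST_AFFECTED = (0, 6, 18)
FIXED_MAINLINE = (1, 9, 10)
FIXED_STABLE = (1, 8, 1)

# Constructed sample configuration (not from the article); addresses are documentation ranges.
SAMPLE_CONFIG = """\
http {
    # resolver 192.0.2.1;   (commented out, must not count)
    resolver_timeout 5s;
    server {
        listen 80;
        resolver 192.0.2.53 valid=30s;
        location / { proxy_pass http://$host; }
    }
}
"""

def parse_version(banner):
    """Pull (major, minor, patch) out of `nginx -v` output, e.g. 'nginx version: nginx/1.9.9'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    if version < FIRST_AFFECTED or version >= FIXED_MAINLINE:
        return False
    # Assumption: 1.8.x releases from 1.8.1 onward carry the fixes.
    return not (version[:2] == (1, 8) and version >= FIXED_STABLE)

def resolver_lines(config_text):
    """Return (line_number, text) for each active `resolver` directive."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        active = line.split("#", 1)[0]  # naive comment strip; ignores '#' inside quotes
        # Require whitespace after the name so `resolver_timeout` is not matched.
        if re.search(r"(?:^|[\s;{])resolver\s+\S", active):
            hits.append((n, active.strip()))
    return hits

def exposed(banner, config_text):
    """True only when the version is in range AND a resolver directive is active."""
    return version_affected(parse_version(banner)) and bool(resolver_lines(config_text))

if __name__ == "__main__":
    print(resolver_lines(SAMPLE_CONFIG), exposed("nginx version: nginx/1.9.9", SAMPLE_CONFIG))
```

Run it against the full effective configuration, included files as well; on releases that support the switch, `nginx -T` prints that in one stream.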

Non-security bugs included

Nginx also addressed three non-security bugs in version 1.9.10 and eight in version 1.8.1 as part of this update. The team fixed an issue in 1.9.10 where the proxy_protocol parameter of the listen directive did not work well with IPv6 listen sockets, and another where connections to upstream servers were cached incorrectly when using the keepalive directive. The HTTP method in version 1.9.10 was also fixed to keep the original request after X-Accel-Redirect.

Version 1.8.1 fixes a bug introduced in 1.7.11 that prevented Nginx from starting on several old Linux variants, and another where Nginx logs showed "header already sent" alerts when using cache. The version also fixed a segmentation fault in the worker process that occurred if different ssl_session_cache settings were used in different virtual servers, as well as how the SPDY protocol interacted with the ngx_http_spdy_module.

Version 1.8.1 also fixes a segmentation fault in a worker process if the try_files and alias directives were used inside a location given by regular expression. The try_files directive inside a nested location given by a regular expression also did not work correctly if the alias directive was used in the outer location. Other bug fixes involved the proxy_protocol parameter of the listen directive and the expires directive.

Nginx recently released Nginx Plus R8, its flagship product platform, which expands the features available in open source Nginx. The new Web server platform has improved HTTP2 capabilities, OAuth authentication, and HTML5 video caching features. Nginx Plus users should apply updates provided for the commercial version and not the open source version.